Re: [GKD-DOTCOM] Cyber-Security and E-commerce
Dear Mr. Sharkovski,

I do understand perfectly your frustration, yet don't share your opinion - or perception - that there are just some powerful anonymous groups out there, which intentionally try to harm Macedonia by putting it on a black list. Why should they? (And by the way, this IMHO applies to almost any developing country, therefore Macedonia may serve just as an example).

Under current conditions, there are just 2 recognized public entities that - on the state level - may give you credentials:

(a) the US-government (Departments of State and Commerce in their country-profiles and related info, see for instance http://www.mac.doc.gov/ceebic/countryr/Fyrm/MARKET/Macedonia%27s%20Information%20Technology%20Sector.pdf which in fact makes quite critical observations with respect to laws and ICT in Macedonia).

(b) the EU-commission (Commissioner for commerce) in Brussels.

Even though not publicly admitted, both are obviously say modulated by general political interest, yet they don't operate anonymously. And there are the private risk-assessment agencies like Standard & Poor's or the respective risk-assessment departments of banks and [public] trade- or export-risk assurance companies.

Hence the only way out - in your situation and similar situations in other countries - is to engage at least one of these public entities and at least one of the private ones in a more formal assessment of your conditions and then distribute their assessment (like percentage of risk-penalties in trade-assurance contracts etc.).

Unfair? Yes! Avoidable? Definitively no!

Yours sincerely,
Cornelio

On Friday, October 1, 2004, L Sharkovski [EMAIL PROTECTED] wrote:

I think perhaps some on the GKD list have missed the problem that my compatriot in Macedonia is describing. The point, for us at least, is not that there is rampant cyber-criminality in Macedonia that the government has failed to prevent.
The point is that it is just as safe to buy from Macedonia, or sell to Macedonians online, as it is from any other country. Yet the organization Exportbureau.com has alleged that there are online fraud schemes based in Macedonia and has placed Macedonia on their list of Suspect Shipping or Contact Addresses. There is no contact address or information listed on THEIR website, so it is extremely difficult to determine who this group is and where they reside (although, after some research, we believe they reside in Taiwan).

..snip...

It is bitterly ironic that Macedonia -- a very small country with relatively low cyber-density compared with the industrialized countries in Western Europe and the US -- is accused of being a major source of cyber-fraud. In a world of cyber-criminality, what percentage of that is Macedonian? I will tell you: Zero. Yet our companies are shut off from access to major e-commerce channels.

So it is not an issue of lack of laws or lack of enforcement. It is an issue of too much power in the hands of groups that seem to be informal arbiters of which countries are secure enough for e-commerce. Furthermore, they are completely inaccessible and unaccountable. They do not reply to our requests for evidence of their accusation. And there is no way for us to counter their accusation other than trying to publicize our security through discussions like this one.

It is difficult for us to convey how frustrating and damaging this situation is for us. In many ways, this type of baseless accusation, which harms our economy, is just as lawless as the accusation they are making.

..snip...

This DOT-COM Discussion is funded by the dot-ORG USAID Cooperative Agreement, and hosted by GKD. http://www.dot-com-alliance.org provides more information.
To post a message, send it to: [EMAIL PROTECTED]
To subscribe or unsubscribe, send a message to: [EMAIL PROTECTED]. In the 1st line of the message type: subscribe gkd OR type: unsubscribe gkd
For the GKD database, with past messages: http://www.GKDknowledge.org

Re: [GKD-DOTCOM] Cyber-Security and E-commerce
Dear Colleagues,

I am sure there are several ongoing projects addressing the issue of Information Technology in the institutions of learning in the so-called developing countries. Of course Africa as a continent can still use more of such work force training. The issue is not that of allowing a country to do E-Commerce, but that of having the proper framework for proper and secure implementation, that will allow for global virtual enterprise.

As pointed out by the Moderator:

Cyber-security is essential to e-commerce. Businesses must establish trust with their potential customers. Countries need to prevent cyber-fraud that can cripple e-commerce activity. Yet, developing countries face special obstacles in their efforts to safeguard their companies' e-commerce activities. Many lack a legal infrastructure that can thwart digital crime. These countries also have conditions that foster cyber-crime: many people with sophisticated computer skills and very low incomes, in an environment of expanding organized crime.

The e-Centers, as Electronic Commerce Resource Centers, can draw on any sector of the society, especially the small and medium-sized enterprise (SMEs) in Africa. The involvement of the government is very essential because the policies and legal framework have to be coupled with the business standards and enforcement. In addition, the government is the biggest customer in most of the African countries. Therefore, all the stakeholders that understand running of a Virtual Enterprise infrastructure should be attracted to come up with a viable solution in each country.

As I pointed out in my previous e-mail, in the US, out of the seventeen Electronic Commerce Resource Centers (ECRC), only two of the centers are run by Universities, the rest are run by private business enterprises with technology hubs, and they were all funded and supported by the government at the inception.
A Virtual Enterprise needs the cooperation of all the stakeholders, be it government, educational institution or business entities, to build trust with their customers and create a legal framework that can thwart digital crime. The industrial environment of today consists of numerous organizations working together as a virtual enterprise.

As I pointed out in my previous e-mail, the Global Trade and Investment Management Network (GTIM) group in Nigeria and US are taking measures in working with stakeholders in building trust among members and seeking partnerships with organizations interested in cyber-security for Africa.

I thank you for your input.

Best Regards,
O. Olatidoye
GTIM US Coordinator

On Wednesday, September 29, 2004, Ajay Gupta wrote:

I do believe the first and most critical step towards allowing developing countries (e.g., countries on the African continent) to more fully take part in electronic commerce and the deployment of a secure IT infrastructure is to institute educational training programs in Information Technology at the Secondary and Post-Secondary level.

E-Centers and CSIRTs can more easily be implemented by educational institutions that are developing the necessary and qualified work force in the first place. Further, the educational institutions, if self-managed, provide at least one degree of separation between governments and the e-Centers and CSIRTs often raising the credibility of the latter organizations.

Re: [GKD-DOTCOM] Cyber-Security and E-commerce
Dear GKD Members,

Everything (in developing economies) MUST comply with sustainable and appropriate. In economies where the total number of e-commerce transactions is in the 1000's there is no point in installing or using any technology that costs more than a couple of thousand US$. It would not be sustainable.

However, even developing economies are part of the planet. An important part of their development is to institute systems that will put them in synch with the rest of planet so that they can trade (and pay off their debts). The technology would be appropriate.

ALL universal cyber-security protocols are designed to meet the specific requirements of developed economies. I can make that statement because the cost of implementing them usually is un-sustainable. Furthermore, paranoid legal requirements that have been forced on the world since 9/11 have made the administrative and other overheads on a transaction so huge that any system would need massive volumes to pay them off. Developing economies do not have these volumes.

So what do we do? We cannot do nothing. The reason for this is that crooks always move to the weak point in the system. If the developed world is successful with their expensive security systems and the weak point becomes the developing world then they would have succeeded in exporting fraud, etc. into the developing economies and we would have to accept that we are, indeed, basket cases. So this is not an option.

We have to find sustainable and appropriate ways of implementing cyber-security while still using the same systems that everyone else uses, ie Visa, MasterCard, Sprint, etc.

I like the eBay / reputational suggestion below. The problem is that eBay does not settle to any developing world. They welcome you as a buyer, but they will not settle you as a merchant. This is the problem with private systems. Individuals and profit margins make the rules.
What we have been experimenting with is the Management of Risk as opposed to the Prevention of Risk. Prevention is proving too expensive and too high an overhead for our infrastructure. However, with so few transactions, maybe we can just insure against the risk. Or, maybe, change our pricing so that we can build up a pool to fund risk when it happens. Believe it or not, this works out much cheaper than implementing some of the security protocols like EMV, 3D Secure, VbyV, etc.

There is something we are doing on the reputational side. We are moving away from universal VeriSign type certificates and starting to issue our own, cheaper certificates. This works very well and we have found that there are very few rejections of these certificates. It is incumbent on the Issuer to ensure that their reputation does not cause users to reject the certificate.

I would love to hear if anyone has any other ideas on how to approach these issues.

On Wednesday, September 29, 2004, [EMAIL PROTECTED] wrote:

Femi Oyesanya wrote:

Organizations in developing Countries ought to adopt International Certification and accreditation standards. For example, ISO 11799. The challenge is finding qualified expertise to implement adoption of these standards.

I suppose Femi's suggestion could work for fairly established firms, but it would simply raise the barriers to small e-business development.

Why don't we take the cue from empirical cases? Take eBay for example. While there have been cases of grand abuses (e.g., the laptop sale scandal a year or two back), it has remained a very popular site for incidental or systematic e-businesspersons. Trust is built by repeated transactions - and eBay aptly recognizes this by appending the net positive feedback you have from previous transaction partners (buyers and sellers) to the name you use on the site. A first-timer at eBay would readily be viewed with suspicion.
Many sellers avoid this risk by declaring outright they will not transact with anyone not having positive feedback. It becomes increasingly important then to maintain a good reputation (i.e., net positive feedback) to gain the trust of new buyers/sellers and maintain that of previous ones. Your reputation becomes the de facto certification of good business practice, and presumably, security.

From this rudimentary - if naive - case, what is seemingly important for developing countries are two things:

1) In lieu of harping on security for each individual firm, it might be better to ensure security at the marketplace - i.e., where transactions are conducted; and

2) the guarantee of security is not in keeping information closed, but rather, transparent - open and accessible.

[GKD-DOTCOM] Cyber-Security, Policy and Cyber-Terrorism
Preventing cyber-terrorism demands an effective international legal infrastructure and strong national and cross-border law enforcement mechanisms. To build the infrastructure, countries must be able and willing to negotiate viable settlements. Yet, as criminal and terrorist organizations adeptly operate across borders, governments flounder in their attempts at cross-border collaboration. The problem deepens when they do not share borders. Worse yet, developing countries are often left out of these negotiations altogether.

As governments grow more determined to fight cyber-crime and cyber-terrorism, new issues arise. Governments and citizens struggle to distinguish between legitimate anti-terrorism efforts and illegitimate invasion of privacy. Take international terrorist lists of US government agencies and Interpol, for example. Some consider them essential, while others question their fairness and accuracy. Long-standing suspicion and mistrust also hobble collaboration between key players in cyber-security: developing countries and industrialized countries, businesses and civil society.

Key questions:

1) How can international and regional organizations build effective international legal frameworks that address cyber-crime and cyber-terrorism? What role should civil society play?

2) How can we ensure that developing countries participate equitably in creating international legal frameworks?

3) Are there developing countries with model legal frameworks that foster global collaboration to thwart cyber-crime and cyber-terrorism?

4) What dangers arise in creating an international legal infrastructure to prevent cyber-crime and cyber-terrorism? What checks and balances are needed?

5) What is needed to build trust and collaboration between the private sector and civil society? Are there concrete examples of success stories?

6) What tools and techniques are effective and appropriate for developing countries, e.g., collective knowledge management linked to security measures?

7) What consequences do developing countries face if they -- or donor organizations -- ignore the threat of cyber-crime and cyber-terrorism?